Controls of HR according to ISO 27001:2013

Prior to Employment

Primary Objective (ISO 27001:2013, Annex A.7.1): “To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.” In today’s digitised world, the security of data is a central concern for every organisation, especially at the point where employees and proprietary business data begin to mix.

Employees are prone to human error; they are people, not machines. An average company uses around 20 software applications, some of them cloud-based, and every cloud-based application requires a password that an employee must choose and protect.

Many data breaches result from the use of “weak, default or stolen passwords.” It is therefore essential to account for “employee-driven” security mistakes when planning HR controls: sending sensitive information to the wrong person, failing to dispose of company information correctly, misconfiguring IT systems, or losing laptops and mobile devices to loss or theft.


Active steps should be taken to help your teams keep sensitive information safe and secure. An organisation’s hiring practices are essential to ensure that the most effective and efficient staff are chosen and that the company complies with legal recruitment requirements; pre-employment checks go a long way toward assuring that company data is in safe hands.


The role of an HR professional in upholding your company’s security policies begins during the recruitment process. Pre-employment checks usually include criminal history investigations and credit reports. Some of the checks typically required before employment are:

• Background checks (e.g., criminal, financial, professional, references)
• Confidentiality agreements
• Employee bonding to protect against losses due to theft, mistakes and neglect
(Note: Employee bonding is not always an accepted practice all over the world; in some countries, it is not legal.)
• Conflict of interest agreements
• Codes of professional conduct/ethics

When an individual is hired for a specific information security role, the organisation should make sure the candidate has the competence required to perform that function. If the role involves access to confidential information, the candidate should sign a confidentiality agreement before that access is granted.

These are the steps HR should control during the recruitment process; in the long run, they help the organisation keep company data safe and secure.


Controls of HR according to ISO 27001:2013 – Transcend Quality Conformity Assessment Services Pvt. Ltd.